Download presentation
Presentation is loading. Please wait.
1
COBIT® as a Risk Management Framework
John W. Lainhart IV CISA, CISM, CGEIT, CIPP/G Partner, Security, Privacy, Wireless & IT Governance IBM Global Business Services Principal Advisory to IT Governance Institute COBIT® as a Risk Management Framework
2
In This Presentation... The Governance Environment
An introduction to IT Governance An introduction to Control Objectives for Information and related Technology (COBIT®) Overview of COBIT® Supporting Materials COBIT® Mappings to Other Standards An introduction to ValIT™ An introduction to RiskIT™ Recently Announced Certification Program – CGEIT Questions
3
IT Governance, COBIT, ValIT and RiskIT Are Brought to You by …
4
IT Governance Institute
IT Governance Institute is a non-profit research think-tank associated with ISACA®
5
IT Governance Institute Product Suite
Governance, Security and Assurance Management Business and Technology Management Governance IT Governance Implementation Guide Information Security Governance Board Briefing on IT Governance COBIT Control Practices IT Assurance Guide COBIT 4.1 Val IT
6
The Governance Environment
7
Forces Driving IT Governance
Business/IT Alignment ROI Compliance Project Execution Security
8
What Makes IT Governance so important?
Strategic importance of IT Extended Enterprise Regulatory requirements Cost optimisation Return on investment Drivers Gartner – more than 600 billion $ thrown away annually on ill conceived or ill executed IT projects Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful ITGI 2005 Survey early findings confirm concerns Low return from high-cost IT investments, and transparency of IT’s performance are two top issues More than 30% claim negative return from IT investments targeting efficiency gains 40% do not have good alignment between IT plans and business strategy Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
9
What makes IT Governance so important?
Shareholders want protection for the Enterprise’s Share Price “…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…” “…financial reporting system is not up to speed…” “…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…” “…data entry problems…”
10
The Premier IT Leaders polled by ComputerWorld Magazine put these projects at the top of their to-do lists for # 1 on this list is IT Governance, including business alignment From the Dec 10, 2007 issue of Computerworld Magazine (pg 74) Computerworld Magazine is a publication of International Data Group Inc. IBM Confidential|
11
An Overview of IT Governance
12
What is IT Governance? “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.” ITGI, Board Briefing on IT Governance
13
IT Governance Needs a Management Framework
Driving Forces Map Onto the IT Governance Focus Areas STRATEGIC ALIGNMENT VALUE DELIVERY IT GOVERNANCE PERFORMANCE MEASUREMENT MANAGEMENT RISK RESOURCE MANAGEMENT
14
IT Governance Focus Areas
Strategic alignment, focuses on ensuring the linkage of business and IT plan; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and establishing collaborative solutions to Add value and competitive positioning to the enterprise’s products and services Contain costs while improving administrative efficiency and managerial effectiveness
15
IT Governance Focus Areas
Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc)
16
IT Governance Focus Areas
Risk management requires risk awareness of senior corporate officers, a clear under- standing of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations
17
IT Governance Focus Areas
Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focusses on optimising knowledge and the IT infrastructure and on where and how to outsource
18
IT Governance Focus Areas
Performance measurement, tracking project delivery and monitoring IT services, using balanced scorecards that translate strategy into action to achieve goals measur-able beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.
19
IT Governance Life Cycle
20
IT Governance Control Cycle
21
IT Governance Control Cycle
Assess Environment Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy Establish risk management strategy Formally document existing processes
22
IT Governance Control Cycle
Maintain IT Controls Framework Develop controls framework to supports sound business decisions Document integration points in the current environment Create an organizational mechanism to support the governance of IT Mitigate identified risks through the IT controls framework
23
IT Governance Control Cycle
Develop & Refine Governing Documents Utilize a central repository for governing documents Develop a consistent approach for creating governing documents Consistently apply processes and procedures Gain executive commitment for IT governance frameworks and structure
24
IT Governance Control Cycle
Communicate and Train Provide “Tone at the Top” Develop a strategic communication plan for mission objectives and overall management direction Execute strategic communication plan Implement a standard training program to avoid unnecessary and redundant training
25
IT Governance Control Cycle
Implement and Operate Align staff responsibilities with IT control objectives Achieve sustainability of IT controls in the operational environment Support continuous improvement of operational effectiveness and accountability
26
IT Governance Control Cycle
Measure and Validate Revise current metrics program to include newly defined controls Verify the sustainability of defined controls Develop cost effective automated measurements Measure all processes to include Applications, Databases, Platforms and Networks
27
IT Governance Control Cycle
Monitor and Report Report on continued effectiveness of controls Increase transparency to auditors of issues and actions taken Accurately attest to IT’s compliance with policy, laws, and regulations Improve existing processes using metrics trending
28
IT Governance Control Cycle
Enforce Reinforce required policy compliance and standards conformance Define a consistent approach for enforcement across all processes
29
An Overview of COBIT
30
COBIT 4.1—The IT Governance Framework
IT Processes IT Management Processes IT Governance Processes CobiT best practices repository for COBIT Internationally accepted good practices Management-oriented Freely available Sharing knowledge and leveraging expert volunteers Continually evolving Maintained by reputable not-for-profit organisation Maps 100% to COSO Maps strongly to all major related standards Is a reference, set of best practices, not an “off-the-shelf” cure Enterprises still needs to analyse their control requirements and customise based on: Value drivers Risk profile IT infrastructure, organisation and project portfolio The only IT management and control framework that covers the end-to-end IT life cycle
31
COBIT: An IT Control Framework
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives Promotes process focus and process ownership Divides IT into 4 domains and 34 processes, with a total of 210 control objectives Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT Addresses the resources made available to and built up by IT Domains: 1. Plan & Organize 2. Acquire & Implement 3. Delivery & Support 4. Monitor & Evaluate Information Criteria: 1. Effectiveness 2. Efficiency 3. Availability 4. Integrity 5. Confidentiality 6. Reliability 7. Compliance IT Resources: 1. Applications 2. Information 3. Infrastructure 4. People
32
Key Driving Forces for COBIT
How IT is organised to respond to the requirements What the stakeholders expect from IT The resources made available to—and built up by—IT Business Requirements IT Resources IT Processes Plan and Organise Aquire and Implement Deliver and Support Monitor and Evaluate Applications Information Infrastructure People Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information reliability
33
IT Life Cycle COBIT Framework Business Objectives Criteria
Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability IT Resources Applications Information Infrastructure People Monitor and Evaluate Plan and Organise IT Life Cycle Deliver and Support Acquire and Implement
34
COBIT Processes Plan and Organise Acquire and Implement PO1
Define an IT Strategic Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Processes, Organisation and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality PO9 Assess and Manage IT Risks PO10 Manage Projects Plan and Organise Acquire and Implement
35
COBIT Processes Deliver and Support Monitor and Evaluate ME1
Monitor and Evaluate IT Performance ME2 Monitor and Evaluate Internal Control ME3 Ensure Compliance With External Requirements ME4 Provide IT Governance Monitor and Evaluate
36
COBIT PC and AC Processes
Process Goals and Objectives PC2 Process Ownership PC3 Process Responsibility PC4 Roles and Responsibilities PC5 Policy, Plans and Procedures PC6 Process Performance Improvement Process Controls AC1 Source Data Preparation and Authorization AC2 Source Data Collection and Entry AC3 Accuracy, Completeness and Authenticity Checks AC4 Processing Integrity and Validity AC5 Output Review, Reconciliation and Error Handling AC6 Transmission Authentication and Integrity Application Controls
37
Process Level Navigating in COBIT
38
Control Objectives P09.6 Maintenance and Monitoring of a Risk Action Plan Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.
39
Management Guidelines
40
Management Guidelines
41
Maturity Model
42
Maturity Levels in COBIT
Non-existent Initial Repeatable Defined Managed Optimised 1 2 3 4 5 0 - Management processes are not applied at all. 1 - Processes are ad hoc and disorganised. 2 - Processes follow a regular pattern. 3 - Processes are documented and communicated. 4 - Processes are monitored and measured. 5 - Best practices are followed and automated.
43
Dimensions of Process Maturity in COBIT
We capture process maturity data on each of six dimensions: Awareness and communication Policies, standards and procedures Tools and automation Skills and expertise Responsibility and accountability Goal setting and measurement
44
Leverage COBIT® Supporting Materials ...
45
Implementation Guide
46
Implementation Guide IT Governance Implementation Guide, 2nd Edition
Detailed, structured guidance to the implementation of IT governance Generic IT governance implementation guidance, not just COBIT
47
Control Practices
48
Control Practices COBIT Control Practices, 2nd Edition
Detailed guidance on each of the control objectives Management-oriented From three to 12 control practices per control objective
49
Assurance Guide
50
Assurance Guide IT Assurance Guide: Using COBIT
Detailed guidance to support assurance practitioners in: Financial statement audit Internal audit Value for money Operational improvement Guidance on: How to leverage COBIT for assurance Detailed assurance testing steps
51
Quickstart
52
Quickstart For small and medium sized organizations and larger organizations wanting to quickstart IT governance Selection of components from the complete COBIT framework Can be used as a baseline (set of “smart things to do”) for small and medium-sized enterprises and other entities where IT is not strategic or absolutely critical for survival Can also be a starting point for larger enterprises in their first moves toward an appropriate level of control and governance of IT
53
COBIT Security Baseline
54
COBIT Security Baseline - 44 Steps Toward Security
Define the security strategy - 1 Define the IT organisation and relationships - 1 Communicate management aims and direction - 1 Manage IT human resources - 4 Assess and manage IT risks - 3 Identify automated solutions - 1 Acquire and maintain application and technology infrastructure - 3 Enable operation and use - 1 Manage changes - 2 Install and accredit solutions and changes - 2 Define and manage service levels - 1 Manage third-party services - 3 Ensure continuous service - 3 Ensure systems security - 8 Manage the configuration - 2 Manage data - 3 Manage the physical environment - 2 Monitor and evaluate IT performance—assess internal control adequacy - 1 Obtain independent assurance - 1 Ensure regulatory compliance – 1 6 Information Security Survival Kits Home Users Professional Users Managers Executives Senior Executives Board of Directors/Trustees
55
COBIT Mappings to Other Frameworks and Standards
56
Where COBIT Typically Sits
King COSO Governance Layer COBIT Governance Layer IT ITIL 17799 Management Layer IT CMM TickIT
57
How COBIT Relates to Frameworks and Standards
Strategic 17799 COBIT Process Control CMM XY XY XY XY XY ITIL ## ## ## ## ## Process Execution Work Instruction Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6….
58
How COBIT Relates to Frameworks and Standards
Strategic 17799 COBIT Process Control CMM XY XY XY XY XY ITIL ## ## ## ## ## Process Execution Work Instruction Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6….
59
An Overview of ValIT
60
The Information Paradox
? The value of IT is being increasingly questioned... …yet organizations continue to spend more and more on IT SKIP 60
61
The Fundamental Question
Are we maximizing the value of our IT-enabled business investments such that: we are getting optimal benefits; at an affordable cost; and with an acceptable level of risk? Over the full economic life-cycle of the investment
62
Without Effective Governance
SYMPTOMS Situation Reluctance to say no to projects Lack of Strategic Focus Projects are “sold” on emotional basis -- not selected No strong review process Overemphasis on Financial ROI No clear strategic criteria for selection Can’t kill projects Leads to.. Too many projects Quality of execution suffers Underestimation of risks and costs Projects not aligned to strategy Budget overruns Project delays Business needs not met Lack of confidence (in IT) Results in.. Benefits not received Increased Complexity Sub-optimal use of resources Finger pointing Source: Fujitsu
63
Continuously Need to Question
The strategic question. Is the investment: In line with our vision? Consistent with our business principles? Contributing to our strategic objectives? Providing optimal value, at affordable cost, at an acceptable level of risk? In the value question. Do we have: A clear and shared understanding of the expected benefits? Clear accountability for realising the benefits? Relevant metrics? An effective benefits realisation process? Some fundamental questions about the value enabled by IT The architecture question. Is the investment: In line with our architecture? Consistent with our architectural principles? Contributing to the population of our architecture? In line with other initiatives? The delivery question. Do we have: Effective and disciplined delivery and change management processes? Competent and available technical and business resources to deliver: the required capabilities; and the organisational changes required to leverage the capabilities? Source: The Information Paradox
64
Val IT Processes & Key Management Practices
65
P3M -Projects, Programs, and Portfolios
Portfolio – a suite of business programmes managed to optimise overall enterprise value Portfolio Management Programme – a structured grouping of projects designed to produce clearly identified business value Programme Management Project Management Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget
66
Val IT Relationship between Processes & Practices
Establish governance framework VG1-4, 6 -7 Establish portfolio parameters VG Provide strategic direction VG5, 9-11 VG8 PM1-5 PM6 Maintain resource profile Maintain funding profile Evaluate & prioritize investments PM14 PM7-10 Move selected investments to active portfolio Manage overall portfolio Monitor & report on portfolio performance PM PM11 PM12-13 Analyse alternatives Assign accountability Document business case Identify business req’ts Define candidate programme IM4 IM9 IM1-2 IM8, 13 IM3, 5-7 Launch programme Manage programme execution Monitor & report on programme performance Retire programme IM IM10 IM 11-12 IM15 IM14
67
Val IT Initiative …a value lens into COBIT™
Are we doing the right things? Are we doing them the right way? Are we doing them well? Are we getting the benefits? PO AI ME DS PM VG IM Val IT Governance & management of a portfolio of business change programmes COBIT Governance & management of a portfolio of technology projects, services, systems & supporting infrastructure
68
Val IT Initiative Status
DONE Framework Business Case Case Study (initial) Extend FW to services & other IT assets/ resources & Simplify Maturity Models Management Guidelines Taxonomy QuickStart Guide 1st Qtr. of 2008 IN PROCESS Business Case v2.0 Empirical Analysis Benchmarking PLANNED Available for free download from: or
69
The Business Challenge
Maximizing value and reducing risk made possible by IT both enables and requires a through IT governance approach that: Ensures clarity of, and accountability for the desired outcomes Enables understanding of the full scope of effort Breaks down the “silos” and “connects the dots” Manage the full economic life-cycle Senses and responds to changes and deviations This is a significant leadership challenge, opportunity and responsibility!
70
The RiskIT Initiative
71
RISKIT DESCRIPTION A risk management framework that provides the missing link between enterprise risk management and IT Management and control, fitting in the overall IT Governance framework of ITGI, and building upon all existing risk related components within the current frameworks, i.e., COBIT and Val IT A number of related services and products (practical guides, reference data, interfaces/mapping with other standards, …)
72
RISKIT ACTIONS ITGI Board discussion on this initiative and decision to proceed with full business case development (July 2007) Business Case development, (October 2007) including Market survey Feasibility study High-level design of the product/service Set-up project governance structure, incl. Core Team, expert team, identify project manager(s) and potential resources Define high-level development and roll-out plan ITGI Board approved detailed business case and decision to proceed with full project (November 2007) RiskIT Task Force members appointed (December 2007) First RiskIT Task Force meeting held in Ghent, Belgium on January 2008 First draft RiskIT planned to be issued by December 2008
73
RiskIT Processes & Key Management Practices
As of 19 January 2008 first Task Force meeting in Ghent, Belgium High Level Risk Management Guidance: COSO ERM, AS/NZS 4360, etc
74
RISK IT Product Family – Proposed Content & Lifecycle
75
RELATIONSHIP OF COBIT/VALIT/RISKIT
76
Certified in the Governance of Enterprise IT (CGEIT)
77
Questions
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.